Shellshock – a Security Risk for Millions of Websites

Earlier this year the computer and web world was shaken by the discovery of a security flaw named Heartbleed, and now another one has reared its ugly head: Shellshock (CVE-2014-6271). It was discovered by Stéphane Chazelas and disclosed through Red Hat in September 2014, and what it comes down to is that attackers can smuggle commands into “Bash”. Bash is the command-line shell that lets a user, or another program, run commands on a Unix-based system. The flaw is in how Bash reads its environment: if an environment variable's value begins with what looks like a function definition, a vulnerable Bash also executes whatever commands follow the function body as soon as it starts. Anything that copies attacker-controlled data into Bash's environment, such as a web server handing request headers to a CGI script, can therefore be made to run the attacker's commands. While you probably don't see Bash on a regular basis, in all probability it is running in the background on your system (Mac OS X and most Linux distributions ship it). Security experts are already saying that Shellshock could very well be worse than Heartbleed, and any system that does not install a patch is going to be left open to a variety of remote attacks. Google and Amazon are already rolling out patches to seal this latest leak in internet security.


One of the reasons concern is growing so fast is that Bash is in so many systems and has been in the industry for a very long time; the vulnerable code has been there for decades, so affected software has been deployed on technology platforms around the world for many, many years. This means that millions of machines and possibly millions of websites are exposed and totally vulnerable. Troy Hunt points out:


“The bigger worry is the devices with no easy patching path, for example your router. Short of checking in with the manufacturer’s website for updated firmware, this is going to be a really hard nut to crack. Often routers provided by ISPs are locked down so that consumers aren’t randomly changing either config or firmware and there’s not always a remote upgrade path they can trigger either. Combine that with the massive array of devices and ages that are out there and this could be particularly tricky. Of course it’s also not the sort of thing your average consumer is going to be comfortable doing themselves either.”


One security firm, Rapid7, has rated the bug 10 out of 10 for severity but “low” for complexity, which means attackers can take advantage of it with as little as three lines of code. This exposure means that hackers could potentially take control of any exposed machine, break into it and do virtually as they please. And unlike much of the risk associated with Heartbleed, Shellshock isn't mitigated by simply changing your passwords: the flaw is in the code that runs commands, not in a secret that can be rotated, so only a patched Bash closes it.
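To see what “low complexity” means in practice, here is an added example that is not part of the original article and not Rapid7's code: a local check for the behaviour described above. It puts a variable whose value looks like a function definition followed by a trailing command into the environment and starts a fresh shell. A vulnerable Bash runs the trailing command while importing the variable; a patched Bash, or a shell that never imported functions from the environment, does not. The shell name defaults to `bash` but can be overridden so that every Bash binary on a box (an embedded copy under another path, say) can be checked with the same function.

```shell
#!/bin/sh
# Added example, not from the original article: probe a shell for the
# Shellshock (CVE-2014-6271) environment-import behaviour.
#
# Usage: shellshock_check [path-or-name-of-shell]
# Prints one of: vulnerable, not-vulnerable, no-shell

shellshock_check() {
    shell=${1:-bash}

    # Nothing to test if the requested shell is not installed.
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo "no-shell"
        return 0
    fi

    # The variable value starts with "() {" so a vulnerable Bash treats it
    # as an exported function definition; the "echo SHELLSHOCK_HIT" after
    # the function body is the part that must NOT run. The child shell
    # itself only runs a harmless "echo probe".
    out=$(env x='() { :;}; echo SHELLSHOCK_HIT' "$shell" -c 'echo probe' 2>/dev/null) || true

    case "$out" in
        *SHELLSHOCK_HIT*) echo "vulnerable" ;;
        *)                echo "not-vulnerable" ;;
    esac
}

# Check the default bash on this machine.
shellshock_check
```

A result of `not-vulnerable` only covers the shell you named; `/bin/sh` may be a different program from `/bin/bash`, and a statically linked copy inside an appliance is not fixed by patching the host's package. Note also that the first vendor patch for CVE-2014-6271 turned out to be incomplete and follow-up patches were issued, so keep updating to the latest Bash package your vendor ships rather than stopping at the first one.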


Another security expert, Robert Graham (CEO of Errata Security), puts it this way: “It’s really important that people who maintain websites make sure their computers are patched as quickly as they can. Hackers are already going to all websites and trying out this bug … a common bit of code that is used all over the place. Years from now we’ll keep finding yet another device that’s still not been patched.”
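The attempts Graham describes leave a trace. Web servers reach Bash through CGI scripts, because the server copies request headers such as User-Agent and Referer into environment variables (HTTP_USER_AGENT, HTTP_REFERER) before running the script, and those same header values end up in the access log. Every payload has to begin with the literal function-definition prefix `() {`, which makes it a simple thing to search for. The script below is an added example, not code from the original article; the log lines in it are constructed for illustration and are not real traffic.

```shell
#!/bin/sh
# Added example, not from the original article: find Shellshock probes in
# Apache/nginx-style combined access logs by looking for the "() {" prefix
# in the logged header fields.

# Constructed sample log lines (not real traffic). Two of the three carry
# the prefix, one in the User-Agent field and one in the Referer field.
SAMPLE_LOG='10.0.0.1 - - [25/Sep/2014:10:00:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
10.0.0.2 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.3 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 128 "() { :;}; echo probe" "curl/7.30"'

# Print the lines that carry the prefix. -F matches a fixed string, so the
# parentheses and brace are not treated as regex metacharacters. "|| true"
# keeps a zero-match result from being an error under "set -e".
shellshock_probe_lines() {
    grep -F '() {' || true
}

# Print how many such lines there are (0 when there are none).
count_shellshock_probes() {
    grep -Fc '() {' || true
}

# Run against the constructed sample; feed a real log with
#   count_shellshock_probes < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | shellshock_probe_lines
printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes
```

Two caveats for anyone using this on real logs. A hit shows that someone tried; it does not tell you whether a CGI script actually handed the value to Bash, so treat it as a trigger to check which scripts that path reaches. And the default log formats record only a few headers, so an attacker who put the payload in a header that is not logged leaves nothing for this search to find; absence of hits is not proof that the server was not probed.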


The severity of Shellshock has even been acknowledged by the US government, with the US Department of Homeland Security releasing a warning about the bug. The Independent, a British newspaper, posted the following questions and answers on its website:


Q. What is Shellshock?

A. Shellshock is a mistake in the code of a program called Bash, which is typically installed on non-Windows operating systems such as Mac, Unix and Linux. The bug allows hackers to send commands to a computer without having admin status, letting them plant malicious software within systems.

Q. Could it be used to steal my financial details?

A. Yes. If banks or online retailers use older, “mainframe”-style computing systems, they are likely vulnerable. Home routers and modems could also be targeted as a way to get to PCs and laptops.

Q. Are there any indications it has already been exploited?

A. It’s too early to tell. However, authorities fear a deluge of attacks could soon emerge. The US government has rated the security flaw 10 out of 10 for severity.

Q. What can be done to solve it?

A. Security experts around the world are now rushing to find a fix for the bug, but the widespread and varied use of Bash means there won’t be a single solution. Individual organisations and companies such as Apple will develop patches for their own systems.

Q. What can I do to protect against it?

A. Experts recommend not using credit cards or disclosing personal information online for the next few days. Usual precautions are also recommended such as updating anti-virus software and not visiting dodgy websites.


So at this point, be cautious, as you always should be, about storing or disclosing personal and financial information online. Only share what you feel you must, and keep a diligent eye out for anything that might indicate your personal data has been compromised, such as strange charges on your credit cards or debits from your bank accounts. If you run a server or a website, patch Bash now and keep applying your vendor's updates as they arrive. Don't panic, but be cautious and diligent.